Oracle has released its Critical Patch Update (CPU) for January 2021, which includes 329 vulnerability fixes across multiple product families.
Oracle also notes that it continues to receive reports of remote attackers attempting to exploit unpatched vulnerabilities, and that in some cases those attacks have succeeded because organizations failed to apply the Oracle patches that were already available.
As part of the quarterly update, Oracle also pointed back to the Security Alert it issued in November 2020 for the Oracle WebLogic Server vulnerability CVE-2020-14750, urging organizations to prioritize that patch as well:
“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
Oracle Database product patches
This Critical Patch Update addresses 8 vulnerabilities in Oracle Database products.
Three of the Oracle Database vulnerabilities are rated High severity, one of which can be exploited remotely without authentication. The three are listed below with their affected components:
- CVE-2021-2035: RDBMS Scheduler
- CVE-2021-2018: Advanced Networking Option
- CVE-2021-2054: RDBMS Sharding.
In addition, Oracle patched 43 new vulnerabilities in Oracle MySQL, 5 of which may be remotely exploitable without authentication.
The 2 High severity MySQL fixes that can be exploited without credentials are listed below with the affected products:
- CVE-2020-13871: MySQL Workbench
- CVE-2019-10086: MySQL Enterprise Monitor.
Oracle Java patches
Oracle patched just one security vulnerability in Oracle Java SE, and it can be exploited remotely without user credentials.
The Oracle Java SE and Java SE Embedded vulnerability CVE-2020-14803 is rated Medium severity and carries a CVSS score of 5.3.
Oracle Enterprise Manager patches
The Critical Patch Update also addresses 8 new security vulnerabilities in Oracle Enterprise Manager, all of which can be exploited remotely without user credentials.
Five of the patched vulnerabilities are rated Critical. Each of the five is in a third-party component bundled with the Enterprise Manager product named, so the fix is delivered through Oracle's patch rather than by updating the upstream library directly (components in parentheses):
- CVE-2019-13990: Connector Framework (Quartz)
- CVE-2020-11973: Reporting Framework (Apache Camel)
- CVE-2016-1000031: Reporting Framework (Apache Commons FileUpload)
- CVE-2020-11984: Enterprise Manager Ops Center Control Proxy (Apache HTTP Server)
- CVE-2020-10683: Oracle Application Testing Suite Load Testing for Web Apps (dom4j)
Oracle also patched 3 other Enterprise Manager vulnerabilities, rated High to Medium in severity.
Oracle Fusion Middleware patches
Oracle also patched 60 new vulnerabilities in Oracle Fusion Middleware, 47 of which could be exploited remotely without user authentication.
In all, 16 Critical vulnerabilities across multiple Fusion Middleware components were addressed, and all 16 can be exploited remotely without user authentication.
Other security updates
Finally, Oracle released patches for multiple other products; the total patch count and the number of Critical severity vulnerabilities are given for each:
- Oracle Communications Applications (8 total, 0 critical)
- Oracle Communications (12 total, 1 critical)
- Oracle Construction and Engineering Suite (7 total, 1 critical)
- Oracle E-Business Suite (31 total, 3 critical)
- Oracle Financial Services Applications (50 total, 14 critical)
- Oracle Food and Beverage Applications (2 total, 1 critical)
- Oracle GraalVM (2 total, 0 critical)
- Oracle Health Sciences Applications (5 total, 1 critical)
- Oracle Hospitality Applications (0 total, 0 critical)
- Oracle Hyperion (7 total, 2 critical)
- Oracle Insurance Applications (3 total, 0 critical)
- Oracle JD Edwards (5 total, 0 critical)
- Oracle PeopleSoft (8 total, 0 critical)
- Oracle Policy Automation (0 total, 0 critical)
- Oracle Retail Applications (32 total, 4 critical)
- Oracle Siebel CRM (4 total, 0 critical)
- Oracle Supply Chain Products (11 total, 0 critical)
- Oracle Systems (4 total, 1 critical)
- Oracle Utilities Applications (1 total, 1 critical)
- Oracle Virtualization (17 total, 0 critical).
Overall, the 329 patches in the January 2021 CPU are down from the 402 released in the October 2020 CPU.
System administrators and users should apply the patches for affected products as soon as possible, as advised in the Oracle January 2021 CPU advisory.